jaku.sh 1.0.0

package/src/core/security/dependency-auditor.js

@@ -0,0 +1,182 @@
+import { createFinding } from '../../utils/finding.js';
+import { execSync } from 'child_process';
+import fs from 'fs';
+import path from 'path';
+
+/**
+ * Dependency Auditor — Audits project dependencies for known CVEs.
+ * Runs npm audit and parses vulnerability advisories into JAKU findings.
+ */
+export class DependencyAuditor {
+    constructor(config, logger) {
+        this.config = config;
+        this.logger = logger;
+        this.findings = [];
+    }
+
+    /**
+     * Run dependency audit on the project.
+     */
+    async audit() {
+        const projectRoot = process.cwd();
+
+        // Try npm audit first
+        if (fs.existsSync(path.join(projectRoot, 'package-lock.json')) ||
+            fs.existsSync(path.join(projectRoot, 'package.json'))) {
+            await this._runNpmAudit(projectRoot);
+        }
+
+        // Check for known vulnerable patterns in package.json
+        await this._checkPackageJson(projectRoot);
+
+        this.logger?.info?.(`Dependency auditor found ${this.findings.length} issues`);
+        return this.findings;
+    }
+
+    /**
+     * Run npm audit and parse results.
+     */
+    async _runNpmAudit(projectRoot) {
+        try {
+            const lockPath = path.join(projectRoot, 'package-lock.json');
+            if (!fs.existsSync(lockPath)) {
+                this.logger?.debug?.('No package-lock.json found, skipping npm audit');
+                return;
+            }
+
+            let auditOutput;
+            try {
+                auditOutput = execSync('npm audit --json 2>/dev/null', {
+                    cwd: projectRoot,
+                    maxBuffer: 10 * 1024 * 1024,
+                    timeout: 30000,
+                    encoding: 'utf-8',
+                });
+            } catch (err) {
+                // npm audit exits with non-zero if vulnerabilities found — that's expected
+                auditOutput = err.stdout || err.output?.[1] || '';
+            }
+
+            if (!auditOutput) return;
+
+            let auditData;
+            try {
+                auditData = JSON.parse(auditOutput);
+            } catch {
+                this.logger?.debug?.('Failed to parse npm audit JSON output');
+                return;
+            }
+
+            // Parse npm audit v2+ format
+            if (auditData.vulnerabilities) {
+                for (const [pkgName, vuln] of Object.entries(auditData.vulnerabilities)) {
+                    const severity = this._mapSeverity(vuln.severity);
+
+                    this.findings.push(createFinding({
+                        module: 'security',
+                        title: `Vulnerable Dependency: ${pkgName} (${vuln.severity})`,
+                        severity,
+                        affected_surface: `npm:${pkgName}`,
+                        description: `The package "${pkgName}" (${vuln.range || 'unknown version'}) has known security vulnerabilities.\n\n${vuln.via?.map?.(v => typeof v === 'string' ? v : `- ${v.title || v.name}: ${v.url || ''}`).join('\\n') || 'See npm advisory for details.'}\n\nVulnerable range: ${vuln.range || 'unknown'}\nSeverity: ${vuln.severity}\nDirect: ${vuln.isDirect ? 'Yes' : 'No (transitive)'}`,
+                        reproduction: [
+                            '1. Run `npm audit` in the project root',
+                            `2. Observe vulnerability in ${pkgName}`,
+                        ],
+                        evidence: JSON.stringify({
+                            package: pkgName,
+                            severity: vuln.severity,
+                            range: vuln.range,
+                            fixAvailable: vuln.fixAvailable,
+                            isDirect: vuln.isDirect,
+                        }, null, 2),
+                        remediation: vuln.fixAvailable
+                            ? `Run \`npm audit fix\` to automatically resolve. If fix is not compatible, manually update ${pkgName} to a patched version.`
+                            : `No automatic fix available. Check if a newer major version of ${pkgName} resolves the vulnerability, or look for alternative packages.`,
+                        references: vuln.via?.filter?.(v => typeof v === 'object' && v.url)?.map?.(v => v.url) || [],
+                    }));
+                }
+            }
+
+            // Summary
+            if (auditData.metadata?.vulnerabilities) {
+                const meta = auditData.metadata.vulnerabilities;
+                const total = meta.total || Object.values(meta).reduce((a, b) => a + (typeof b === 'number' ? b : 0), 0);
+                this.logger?.info?.(`npm audit: ${total} vulnerabilities found (${meta.critical || 0} critical, ${meta.high || 0} high, ${meta.moderate || 0} moderate, ${meta.low || 0} low)`);
+            }
+        } catch (err) {
+            this.logger?.debug?.(`npm audit failed: ${err.message}`);
+        }
+    }
+
+    /**
+     * Check package.json for known risky patterns.
+     */
+    async _checkPackageJson(projectRoot) {
+        const pkgPath = path.join(projectRoot, 'package.json');
+        if (!fs.existsSync(pkgPath)) return;
+
+        try {
+            const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
+            const allDeps = {
+                ...(pkg.dependencies || {}),
+                ...(pkg.devDependencies || {}),
+            };
+
+            // Check for wildcard versions
+            for (const [name, version] of Object.entries(allDeps)) {
+                if (version === '*' || version === 'latest') {
+                    this.findings.push(createFinding({
+                        module: 'security',
+                        title: `Unpinned Dependency: ${name} (${version})`,
+                        severity: 'medium',
+                        affected_surface: `npm:${name}`,
+                        description: `The dependency "${name}" uses version "${version}". Unpinned dependencies can introduce breaking changes or supply chain attacks when a compromised version is published.`,
+                        reproduction: [
+                            `1. Check package.json`,
+                            `2. "${name}": "${version}" — no version pinned`,
+                        ],
+                        remediation: `Pin ${name} to a specific version range. Use \`npm install ${name}@<version>\` to install a specific version.`,
+                    }));
+                }
+            }
+
+            // Check for known risky scripts
+            const scripts = pkg.scripts || {};
+            const riskyPatterns = ['curl', 'wget', 'eval', 'exec', 'child_process'];
+            for (const [scriptName, scriptCmd] of Object.entries(scripts)) {
+                for (const pattern of riskyPatterns) {
+                    if (scriptCmd.toLowerCase().includes(pattern)) {
+                        this.findings.push(createFinding({
+                            module: 'security',
+                            title: `Risky Script Pattern: "${pattern}" in "${scriptName}"`,
+                            severity: 'medium',
+                            affected_surface: 'package.json scripts',
+                            description: `The npm script "${scriptName}" contains the pattern "${pattern}": \`${scriptCmd}\`. This could indicate a supply chain risk or unsafe operation.`,
+                            reproduction: [
+                                `1. Inspect package.json scripts.${scriptName}`,
+                                `2. Script contains: ${scriptCmd}`,
+                            ],
+                            remediation: `Review the script for safety. Ensure "${pattern}" usage is intentional and secure.`,
+                        }));
+                    }
+                }
+            }
+        } catch (err) {
+            this.logger?.debug?.(`package.json check failed: ${err.message}`);
+        }
+    }
+
+    _mapSeverity(npmSeverity) {
+        const map = {
+            'critical': 'critical',
+            'high': 'high',
+            'moderate': 'medium',
+            'medium': 'medium',
+            'low': 'low',
+            'info': 'info',
+        };
+        return map[npmSeverity?.toLowerCase()] || 'medium';
+    }
+}
+
+export default DependencyAuditor;

package/src/core/security/file-upload-tester.js

@@ -0,0 +1,340 @@
+import { createFinding } from '../../utils/finding.js';
+
+/**
+ * FileUploadTester — Tests file upload endpoints for abuse vectors.
+ *
+ * Probes:
+ * - MIME type spoofing (image extension with script content)
+ * - Path traversal in filenames (../../etc/passwd)
+ * - Oversized payload upload
+ * - Dangerous file type acceptance (.php, .jsp, .aspx, .sh)
+ * - Double extension bypass (file.jpg.php)
+ * - Null byte injection (file.php%00.jpg)
+ * - Content-Type header manipulation
+ */
+export class FileUploadTester {
+    constructor(logger) {
+        this.logger = logger;
+
+        this.UPLOAD_INDICATORS = [
+            'type="file"', 'input[type=file]', 'enctype="multipart/form-data"',
+            'dropzone', 'file-upload', 'fileUpload', 'upload',
+        ];
+
+        this.UPLOAD_PATHS = [
+            '/upload', '/api/upload', '/api/files', '/api/images',
+            '/api/media', '/api/attachments', '/api/v1/upload',
+            '/api/v1/files', '/file/upload', '/media/upload',
+        ];
+
+        this.DANGEROUS_EXTENSIONS = [
+            'php', 'php5', 'phtml', 'phar',
+            'jsp', 'jspx', 'jsw',
+            'asp', 'aspx', 'ashx',
+            'sh', 'bash', 'cgi', 'pl',
+            'py', 'rb', 'exe', 'bat', 'cmd',
+            'svg', 'html', 'htm', 'xml',
+        ];
+    }
+
+    /**
+     * Test file upload security.
+     */
+    async test(surfaceInventory) {
+        const findings = [];
+        const baseUrl = this._getBaseUrl(surfaceInventory);
+        if (!baseUrl) return findings;
+
+        this.logger?.info?.('File Upload Tester: starting tests');
+
+        // Discover upload endpoints
+        const uploadEndpoints = await this._discoverUploads(baseUrl, surfaceInventory);
+
+        if (uploadEndpoints.length === 0) {
+            this.logger?.info?.('File Upload Tester: no upload endpoints found');
+            return findings;
+        }
+
+        this.logger?.info?.(`File Upload Tester: found ${uploadEndpoints.length} upload endpoints`);
+
+        for (const endpoint of uploadEndpoints) {
+            // 1. Test MIME type spoofing
+            const mimeFindings = await this._testMIMESpoofing(endpoint);
+            findings.push(...mimeFindings);
+
+            // 2. Test path traversal in filename
+            const pathFindings = await this._testPathTraversal(endpoint);
+            findings.push(...pathFindings);
+
+            // 3. Test dangerous file types
+            const typeFindings = await this._testDangerousTypes(endpoint);
+            findings.push(...typeFindings);
+
+            // 4. Test oversized uploads
+            const sizeFindings = await this._testOversizedUpload(endpoint);
+            findings.push(...sizeFindings);
+        }
+
+        this.logger?.info?.(`File Upload Tester: found ${findings.length} issues`);
+        return findings;
+    }
+
+    async _discoverUploads(baseUrl, surfaceInventory) {
+        const endpoints = [];
+
+        // Check forms for file inputs
+        const forms = surfaceInventory.forms || [];
+        for (const form of forms) {
+            const html = JSON.stringify(form);
+            if (this.UPLOAD_INDICATORS.some(ind => html.toLowerCase().includes(ind.toLowerCase()))) {
+                endpoints.push({
+                    url: form.action ? new URL(form.action, baseUrl).href : baseUrl,
+                    source: 'form',
+                });
+            }
+        }
+
+        // Probe common upload paths
+        for (const path of this.UPLOAD_PATHS) {
+            try {
+                const url = new URL(path, baseUrl).href;
+                const response = await fetch(url, {
+                    method: 'OPTIONS',
+                    signal: AbortSignal.timeout(3000),
+                });
+                // Accept any non-404 as potential upload endpoint
+                if (response.status !== 404 && response.status !== 403) {
+                    endpoints.push({ url, source: 'probe' });
+                }
+            } catch {
+                continue;
+            }
+        }
+
+        return endpoints;
+    }
+
+    async _testMIMESpoofing(endpoint) {
+        const findings = [];
+
+        // Create a "JPEG" that's actually a PHP script
+        const spoofedContent = '<?php echo "JAKU_MIME_SPOOF_TEST"; ?>';
+        const boundary = '----JAKUBoundary' + Date.now();
+
+        const body = [
+            `--${boundary}`,
+            `Content-Disposition: form-data; name="file"; filename="innocent.jpg"`,
+            `Content-Type: image/jpeg`,
+            '',
+            spoofedContent,
+            `--${boundary}--`,
+        ].join('\r\n');
+
+        try {
+            const response = await fetch(endpoint.url, {
+                method: 'POST',
+                headers: { 'Content-Type': `multipart/form-data; boundary=${boundary}` },
+                body,
+                signal: AbortSignal.timeout(5000),
+            });
+
+            if (response.ok) {
+                const text = await response.text();
+                if (/success|upload|created|saved|file/i.test(text) &&
+                    !/invalid|rejected|not allowed|unsupported|error/i.test(text)) {
+                    findings.push(createFinding({
+                        module: 'security',
+                        title: 'File Upload: MIME Type Spoofing Accepted',
+                        severity: 'high',
+                        affected_surface: endpoint.url,
+                        description: `Upload endpoint accepted a file with mismatched Content-Type (image/jpeg) and actual content (PHP script). The server validates by Content-Type header rather than file content, allowing server-side script execution.`,
+                        reproduction: [
+                            `1. Upload file named "innocent.jpg" with Content-Type: image/jpeg`,
+                            `2. File content: <?php echo "test"; ?>`,
+                            `3. Server accepts the upload`,
+                        ],
+                        evidence: `MIME type: image/jpeg, Content: PHP script`,
+                        remediation: 'Validate files by magic bytes (file signature), not Content-Type header or extension. Use a media type allowlist. Store uploads outside the webroot. Serve with Content-Disposition: attachment.',
+                        references: ['CWE-434'],
+                    }));
+                }
+            }
+        } catch {
+            // Not reachable
+        }
+
+        return findings;
+    }
+
+    async _testPathTraversal(endpoint) {
+        const findings = [];
+
+        const traversalNames = [
+            '../../../etc/passwd',
+            '..\\..\\..\\windows\\system32\\config\\sam',
+            '....//....//....//etc/passwd',
+            'file.txt%00.jpg',
+        ];
+
+        const boundary = '----JAKUBoundary' + Date.now();
+
+        for (const filename of traversalNames) {
+            const body = [
+                `--${boundary}`,
+                `Content-Disposition: form-data; name="file"; filename="${filename}"`,
+                `Content-Type: text/plain`,
+                '',
+                'JAKU_PATH_TRAVERSAL_TEST',
+                `--${boundary}--`,
+            ].join('\r\n');
+
+            try {
+                const response = await fetch(endpoint.url, {
+                    method: 'POST',
+                    headers: { 'Content-Type': `multipart/form-data; boundary=${boundary}` },
+                    body,
+                    signal: AbortSignal.timeout(5000),
+                });
+
+                if (response.ok) {
+                    const text = await response.text();
+                    if (/success|upload|created|saved/i.test(text) &&
+                        !/invalid|rejected|sanitized|error|\.\..*not allowed/i.test(text)) {
+                        findings.push(createFinding({
+                            module: 'security',
+                            title: 'File Upload: Path Traversal in Filename',
+                            severity: 'critical',
+                            affected_surface: endpoint.url,
+                            description: `Upload endpoint accepted a filename containing path traversal characters ("${filename}"). An attacker can overwrite arbitrary server files or place web shells in accessible directories.`,
+                            reproduction: [
+                                `1. Upload file with filename: "${filename}"`,
+                                `2. Server does not sanitize the filename`,
+                            ],
+                            evidence: `Filename: ${filename}`,
+                            remediation: 'Strip all path components from uploaded filenames. Use a generated UUID as the stored filename. Never use user-supplied filenames for disk storage.',
+                            references: ['CWE-22'],
+                        }));
+                        break;
+                    }
+                }
+            } catch {
+                continue;
+            }
+        }
+
+        return findings;
+    }
+
+    async _testDangerousTypes(endpoint) {
+        const findings = [];
+        const boundary = '----JAKUBoundary' + Date.now();
+        const acceptedTypes = [];
+
+        for (const ext of this.DANGEROUS_EXTENSIONS.slice(0, 6)) {
+            const body = [
+                `--${boundary}`,
+                `Content-Disposition: form-data; name="file"; filename="test.${ext}"`,
+                `Content-Type: application/octet-stream`,
+                '',
+                '// JAKU dangerous type test',
+                `--${boundary}--`,
+            ].join('\r\n');
+
+            try {
+                const response = await fetch(endpoint.url, {
+                    method: 'POST',
+                    headers: { 'Content-Type': `multipart/form-data; boundary=${boundary}` },
+                    body,
+                    signal: AbortSignal.timeout(5000),
+                });
+
+                if (response.ok) {
+                    const text = await response.text();
+                    if (/success|upload|created|saved/i.test(text) &&
+                        !/invalid|rejected|not allowed|forbidden|error/i.test(text)) {
+                        acceptedTypes.push(ext);
+                    }
+                }
+            } catch {
+                continue;
+            }
+        }
+
+        if (acceptedTypes.length > 0) {
+            findings.push(createFinding({
+                module: 'security',
+                title: 'File Upload: Dangerous File Types Accepted',
+                severity: 'critical',
+                affected_surface: endpoint.url,
+                description: `Upload endpoint accepts dangerous file extensions: ${acceptedTypes.map(t => `.${t}`).join(', ')}. If these files are served by the web server, an attacker can achieve remote code execution.`,
+                reproduction: [
+                    `1. Upload files with extensions: ${acceptedTypes.join(', ')}`,
+                    `2. Server accepts the uploads`,
+                ],
+                evidence: `Accepted dangerous types: ${acceptedTypes.join(', ')}`,
+                remediation: 'Implement a strict file extension allowlist (e.g., only .jpg, .png, .pdf, .doc). Reject all other extensions. Store files outside the web root. Configure the web server to never execute uploaded files.',
+                references: ['CWE-434'],
+            }));
+        }
+
+        return findings;
+    }
+
+    async _testOversizedUpload(endpoint) {
+        const findings = [];
+        const boundary = '----JAKUBoundary' + Date.now();
+
+        // Generate a ~5MB payload
+        const largeContent = 'A'.repeat(5 * 1024 * 1024);
+
+        const body = [
+            `--${boundary}`,
+            `Content-Disposition: form-data; name="file"; filename="large_test.txt"`,
+            `Content-Type: text/plain`,
+            '',
+            largeContent,
+            `--${boundary}--`,
+        ].join('\r\n');
+
+        try {
+            const response = await fetch(endpoint.url, {
+                method: 'POST',
+                headers: { 'Content-Type': `multipart/form-data; boundary=${boundary}` },
+                body,
+                signal: AbortSignal.timeout(15000),
+            });
+
+            if (response.ok) {
+                const text = await response.text();
+                if (/success|upload|created|saved/i.test(text) &&
+                    !/too large|size limit|maximum|exceeded|413|error/i.test(text)) {
+                    findings.push(createFinding({
+                        module: 'security',
+                        title: 'File Upload: No Size Limit Enforced',
+                        severity: 'medium',
+                        affected_surface: endpoint.url,
+                        description: `Upload endpoint accepted a 5MB file without size restrictions. An attacker can exhaust disk space or memory with repeated large uploads (denial of service).`,
+                        evidence: `5MB payload accepted`,
+                        remediation: 'Enforce server-side file size limits (e.g., 2MB for images). Return 413 Payload Too Large for oversized files. Implement per-user/IP upload rate limiting.',
+                        references: ['CWE-400'],
+                    }));
+                }
+            }
+        } catch {
+            // Timeout or rejection — that's fine
+        }
+
+        return findings;
+    }
+
+    _getBaseUrl(surfaceInventory) {
+        const pages = surfaceInventory.pages || [];
+        if (pages.length === 0) return null;
+        try {
+            const parsed = new URL(pages[0].url || pages[0]);
+            return `${parsed.protocol}//${parsed.host}`;
+        } catch { return null; }
+    }
+}
+
+export default FileUploadTester;